User-ID Timeout Values are Ignored by Windows User-ID Agent When Set by XML


Symptom

User-ID timeout values set on a per-user basis through the XML API are ignored by the Windows User-ID Agent: IP-to-user mappings remain visible in the agent after the configured timeout has elapsed. A Palo Alto Networks firewall that retrieves the IP-to-user mappings from the agent does, however, correctly honor the configured timeout values.


The following is an example login entry that sets a User-ID timeout for the user test\test1:

<uid-message>
  <payload>
    <login>
      <entry name="test\test1" ip="10.10.10.10" timeout="3" />
    </login>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>


Cause

The Windows User-ID Agent does not proactively time out entries; this is expected behavior. The agent records each entry's timestamp and timeout value but only evaluates them when it receives a get-all or query-ip request. At that point it deletes the entry if its timeout has been exceeded, so a stale mapping stays listed in the agent until the next lookup touches it.
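The following model illustrates both the XML entry above and the lazy expiry described in the Cause section. It is an added example written for this article, not Palo Alto Networks agent code: the `LazyMappingTable` class, the `FakeClock` helper and the second `test\test2` entry in the sample message are constructed for the illustration, and the 45-minute value used for entries without a `timeout` attribute is an assumed placeholder default, not a documented agent setting. Timeouts are treated as minutes, as the XML API uses.

```python
"""Model of lazy timeout expiry for User-ID IP-to-user mappings.

Added illustration only (not agent code). Entries carry a timestamp and a
timeout, but are removed only when a lookup (query-ip / get-all) touches them,
which is why an expired mapping can still be listed by the agent.
"""
import time
import xml.etree.ElementTree as ET

# Constructed sample message in the same shape as the article's example.
SAMPLE_UID_MESSAGE = """<uid-message>
  <payload>
    <login>
      <entry name="test\\test1" ip="10.10.10.10" timeout="3" />
      <entry name="test\\test2" ip="10.10.10.11" />
    </login>
  </payload>
  <type>update</type>
  <version>1.0</version>
</uid-message>"""


class LazyMappingTable:
    """IP-to-user table that expires entries only when they are looked up."""

    def __init__(self, clock=time.time, default_timeout_min=45):
        # default_timeout_min is an assumed placeholder for entries that carry
        # no timeout attribute; it is not a documented agent default.
        self._clock = clock
        self._default_timeout_min = default_timeout_min
        self._entries = {}  # ip -> (user, inserted_at, timeout_seconds)

    def apply_uid_message(self, xml_text):
        """Load login entries from a uid-message document."""
        root = ET.fromstring(xml_text)
        for entry in root.iterfind("./payload/login/entry"):
            timeout_min = int(entry.get("timeout", self._default_timeout_min))
            self._entries[entry.get("ip")] = (
                entry.get("name"), self._clock(), timeout_min * 60)

    def is_expired(self, ip):
        _user, inserted_at, timeout_s = self._entries[ip]
        return self._clock() - inserted_at >= timeout_s

    def raw_count(self):
        """Entries physically present, expired or not (what an operator sees)."""
        return len(self._entries)

    def query_ip(self, ip):
        """Lazy check: evict the entry if expired, otherwise return the user."""
        if ip not in self._entries:
            return None
        if self.is_expired(ip):
            del self._entries[ip]
            return None
        return self._entries[ip][0]

    def get_all(self):
        """Evaluate every entry, dropping the expired ones, and return the rest."""
        for ip in list(self._entries):
            self.query_ip(ip)
        return {ip: user for ip, (user, _, _) in self._entries.items()}


class FakeClock:
    """Controllable clock so the demo does not have to sleep."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    table = LazyMappingTable(clock=clock)
    table.apply_uid_message(SAMPLE_UID_MESSAGE)
    clock.advance(4 * 60)  # 4 minutes: test1 (timeout 3) is past due, test2 is not
    still_listed = table.raw_count()        # 2: nothing has been evaluated yet
    lookup = table.query_ip("10.10.10.10")  # None: the lookup evicts the stale entry
    after_lookup = table.raw_count()        # 1
    remaining = table.get_all()             # {"10.10.10.11": "test\\test2"}
    return still_listed, lookup, after_lookup, remaining


if __name__ == "__main__":
    print(demo())
```

The `raw_count` value before and after the lookup is the observable difference: the entry for 10.10.10.10 is still listed four minutes after a three-minute timeout, and only disappears once a query-ip or get-all request evaluates it. A firewall that queries the agent therefore never sees the stale mapping, matching the Symptom section.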


owner: mcooke

Comments

Marcus,

I believe there exists a configuration option within the UserID agent that forces removal of entries when the timeout value expires. Please double-check that option and amend the cause statement.

Jye,

I am unaware of any such option.